By: Aishwarya S. Nair and Kushal Agarwal
INTRODUCTION
In 2019, Marriott International was fined £18.4 million under the General Data Protection Regulation (hereinafter ‘GDPR’) for data breaches linked to one of its acquisitions, Starwood Hotels. The FTC alleges that failure to comply with the GDPR regulations resulted in three breaches, two of which occurred entirely before Marriott’s acquisition of Starwood. Most importantly, the third breach, which started in 2018 (before the acquisition), went undetected, allowing it to spread into Marriott’s own network until February 2020. This was considered one of the biggest data breaches on record: 5.2 million guest records containing significant personal information, including but not limited to 5.25 million unencrypted passport details, payment card numbers, email addresses, and loyalty numbers, were compromised.
Notably, the breaches date back to 2014, well before Marriott’s 2016 acquisition of Starwood, yet the penalty was imposed on Marriott for failing to identify and remediate vulnerabilities in the acquired entity’s data infrastructure. Therefore, this case forms a classic example of how due diligence in mergers and acquisitions now extends beyond financial metrics to include data privacy as a core deal consideration. Crucially, in light of the Digital Personal Data Protection Act, 2023 (hereinafter ‘the Act’), the need for acquiring companies to navigate this evolving landscape of data privacy and security has only intensified.
This article explores key data privacy and security considerations under the Act that companies must evaluate during buy-side M&A transactions to balance data protection and regulatory compliance. It begins by examining the core obligations imposed by the Act and their implications for M&A. Thereafter, the authors outline practical measures that acquiring companies can adopt to ensure compliance. Finally, the article highlights practices followed by serial acquirers in foreign jurisdictions, which can be transposed to the Indian context vis-à-vis the DPDP Act.
THE DPDP ACT IN THE CONTEXT OF M&A
The DPDP Act is the first comprehensive data protection law implemented in India and has triggered significant changes in how companies are required to process personal data. It applies not only to Indian entities or companies handling personal data but also has an extraterritorial effect, covering the processing of digital personal data by foreign entities offering goods or services to individuals in India. Other important considerations under the Act, relevant to the M&A suggestions discussed in the third section, are outlined below:
1. Consent-Based Processing
Under the Act, consent-based processing refers to situations where companies or entities, termed “Data Fiduciaries,” process digital personal data only after explicitly obtaining consent from the individuals concerned, referred to as “Data Principals.” The data fiduciary is also required to provide a notice to the data principal before processing their data, clearly specifying the purpose of such processing and delineating the rights of the data principal. This is required to ensure that the consent obtained is free, informed, unconditional, and unambiguous.
In the context of mergers and acquisitions, this requirement becomes particularly significant, as the process often involves the transfer or consolidation of personal data. Therefore, the acquiring company also becomes obligated to obtain consent from the data principals, just like the target company, before processing their data.
2. Obligations of Data Fiduciaries
The Act imposes various obligations on data fiduciaries, including purpose limitation and data minimisation, as outlined in Section 5(2). This provision mandates that personal data must be processed solely for the purposes explicitly stated in the notice provided to data principals and must be deleted once it is no longer necessary for the stated purpose.
Accordingly, when data systems are integrated following a merger, the acquiring entity is obligated to uphold these data protection standards. The burden of compliance primarily rests on the acquiring entity, which steps into the role of the data fiduciary previously held by the target company. This obligation is reinforced by the significant penalties for breach or non-compliance set out in the Act.
3. Penalties for breaches or non-compliance (₹250 crore+ fines)
The penalties under the Act range from ₹10,000 to ₹250 crore, depending on the nature and gravity of the breach or non-compliance. Given the magnitude of these penalties, it is essential that the acquiring entity treats data protection compliance as a core component of legal and regulatory due diligence.
RECOMMENDATIONS
In this section, the authors recommend data protection practices from foreign jurisdictions that can be leveraged to facilitate mergers and acquisitions. These practices may either be voluntarily adopted by companies or formally integrated into the Act to strengthen enforcement mechanisms during legal and due diligence processes.
1. Data Mapping
Data mapping refers to the systematic process of identifying and cataloguing the flow of personal data across an organisation. This includes detailing the types of data collected (e.g., names, financial information), the purposes for processing, data storage locations (on-premise or cloud), the format of storage, retention schedules, and third-party sharing arrangements. This enables structured data governance, highlights compliance gaps, and facilitates audit readiness.
Under Article 30 of the GDPR, organisations are required to maintain detailed Records of Processing Activities (RoPA), a formalised and enforceable form of data mapping. The UK Information Commissioner’s Office (ICO) also mandates RoPA and provides practical templates to help organisations comply. Including a data mapping requirement in the DPDP Act would make it possible to track compliance with key obligations such as consent tracking and data minimisation.
In the backdrop of M&A, data mapping enables the acquiring company to transparently assess the target’s data assets and processing activities in a structured manner, evaluate existing compliance mechanisms, and arrive at a more accurate enterprise valuation based on the target’s data practices. This also facilitates a smoother transition in the event of an acquisition or data consolidation involving both the target and acquiring companies. In the Indian context, companies can mandate data mapping disclosures as a condition precedent in M&A transactions, as this helps trace whether data usage aligns with stated purposes, supporting compliance with the principles of purpose limitation and data minimisation under the DPDP Act.
2. Privacy Impact Assessment
A Privacy Impact Assessment (hereinafter ‘PIA’) is a structured risk assessment tool used to identify, evaluate, and mitigate privacy risks arising from data processing activities. It is instrumental in uncovering potential compliance gaps that may otherwise be overlooked in a transactional context.
Under Article 35 of the GDPR, conducting a PIA is mandatory when data processing is likely to result in a high risk to the rights and freedoms of individuals. Regulatory bodies in other jurisdictions, such as the UK ICO, the Office of the Australian Information Commissioner, and the New Zealand Privacy Commissioner, have also published comprehensive guidelines on how to carry out PIAs. In the United States, PIAs are mandated under the E-Government Act of 2002 for federal agencies implementing systems that involve personal data.
In M&A scenarios, PIAs help the acquiring company assess whether the target’s data practices align with legal obligations under the Act relating to transparency, notice, and purpose limitation, and whether any latent privacy risks could translate into future liabilities. When data-driven businesses are being acquired in India, especially in fintech, edtech and healthtech, PIAs can be used as a voluntary annexure to legal due diligence or data protection impact assessment reports to meet the risk assessment requirement encompassed by Section 10(1) and Section 10(2)(iii) of the DPDP Act. Companies can also integrate PIAs into board-level data governance policies by requiring audit or legal committees to present PIA summaries before final approval of mergers. This embeds privacy risk assessment into the standard risk review process for acquisitions or investment decisions, promoting ethical governance and avoiding the inheritance of risks such as those seen in the Marriott International case.
3. Sectoral Risk Stratification and Third-Party Assessors
The U.S. has a well-developed regime of sectoral data laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for health data, the Gramm-Leach-Bliley Act (GLBA) for financial data and state-level consumer privacy laws such as the California Privacy Rights Act (CPRA). These frameworks impose varying compliance obligations depending on the type and volume of data within each sector.
In contrast, India currently lacks such sector-specific data protection laws. This raises an important question in the context of horizontal, conglomerate, or congeneric mergers and acquisitions: how should due diligence be conducted when the acquiring and target companies are subject to different regulatory obligations, process different categories of data, and face varying levels of data protection risk?
Until India develops a more granular framework of sector-specific rules under the DPDP regime, risk-based stratification through PIAs conducted by independent third-party assessors can serve as a practical interim solution for ensuring robust data governance in mergers. These assessors can be neutral, certified privacy professionals, similar to Data Protection Officers under the EU GDPR.
PIAs by third-party assessors would assist in evaluating differences in sector-specific compliance requirements between the acquiring and target companies and in identifying any additional obligations that may arise following the integration of their data systems. The findings and recommendations of third-party assessors can help the acquiring company implement corrective measures or additional safeguards, thereby mitigating the risk of post-merger non-compliance or data breaches.
CONCLUSION
In 2022 and 2024, two major insurance entities, Policybazaar and Star Health Insurance, faced data breaches through third-party vendors they had employed, in which sensitive details of millions of customers, including details of defence security personnel, were leaked. While these were not M&A cases, they still highlight how individual companies face serious data privacy risks on their own, risks that are heightened further during an M&A transaction between two entities. Although the DPDP Act imposes stringent obligations on entities involved in such transactions, advancements in technology have made personal data increasingly vulnerable to misuse. This warrants heightened scrutiny of personal data during its transfer or consolidation in the M&A process. Moreover, data asymmetry and data monopolies arising from mergers can distort competition, and the adverse impact of such breaches or non-compliance can be multifold. Therefore, to strengthen compliance, acquiring entities should adopt the aforementioned international best practices, such as mandatory data mapping and Privacy Impact Assessments conducted by independent third-party assessors. These practices can help bridge different compliance regimes and identify necessary safeguards post-merger. These measures, along with internal governance policies, would equip acquirers to navigate the evolving data privacy landscape more effectively and avoid inheriting significant compliance and reputational risks.
(Aishwarya S. Nair is a fourth-year B.A. LL.B. (Hons.) student at the Rajiv Gandhi National University of Law, Punjab. Kushal Agrawal is a fourth-year B.A. LL.B. (Hons.) student at the Hidayatullah National Law University, Raipur. The authors may be contacted via mail at aishwaryanair22271@rgnul.ac.in and kushal.org777@gmail.com, respectively.)
